Snort mailing list archives
Re: snort does not sent reset in freebsd/ipfw inline mode
From: Rajkumar S <rajkumars () gmail com>
Date: Thu, 20 Jan 2011 21:42:09 +0530
Just an update on this: a reset is being sent when I tried with Snort Version 2.8.6.1 (Build 39) inline on FreeBSD. So this might indicate a bug in 2.9.0.3.

raj

On Wed, Jan 19, 2011 at 11:30 PM, Rajkumar S <rajkumars () gmail com> wrote:
Hello,
I am testing snort 2.9.0.3 inline under FreeBSD 6.2-RELEASE-p12
and IPFW. Everything seems to be working except that no packet gets
dropped and no reset is sent.
I am using snort Version 2.9.0.3 (Build 98) FreeBSD which is compiled
with following options:
./configure --enable-flexresp3 --enable-react --enable-active-response
My snort.conf is as follows:
var HOME_NET 192.168.3.0/24
portvar HTTP_PORTS [80]
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: all
config pcre_match_limit: 1500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-bnfa max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no, \
    max_active_responses 2, min_response_seconds 5
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
    ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 \
    139 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 \
    6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 \
    32774 32775 32776 32777 32778 32779, \
    ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 \
    7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 \
    7916 7917 7918 7919 7920
reject tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Unauthorized Access Prohibited!"; resp:rst_all; sid:1; rev:1;)
The command line I use to start snort is:
snort -vQ -c /usr/local/etc/snort/snort.conf -A fast -h 192.168.3.0/24 -s --daq ipfw --daq-var port=8100 --alert-before-pass
IPFW rules are:
02000 divert 8100 tcp from any to any dst-port 80
02100 allow ip from any to any
65535 deny ip from any to any
When I send a single HTTP GET through snort I get the following
alert in the alert file 7 times:
01/19-23:13:22.087778 [Drop] [**] [1:1:1] Unauthorized Access Prohibited! [**] [Priority: 0] {TCP} 192.168.3.19:50471 -> xx.135.40.xxx:80
I am able to see packets printed out in the snort output when I start
snort, i.e. snort is getting packets from the divert socket, and if snort is
not running packets are not forwarded. So all packets are being
seen and approved by snort.
I have posted the full snort output at http://pastebin.com/9F2y4m5k
The output start with following lines:
Enabling inline operation
Running in IDS mode
and startup sequence ends with:
[ Port Based Pattern Matching Memory ]
ipfw DAQ configured to inline.
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.3 (Build 98) FreeBSD
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
After pressing Ctrl-C I can also see the following output:
Action Stats:
Alerts: 7 ( 36.842%)
Logged: 7 ( 36.842%)
Passed: 0 ( 0.000%)
Match Limit: 0
Queue Limit: 0
Log Limit: 0
Event Limit: 0
Verdicts:
Allow: 12 ( 63.158%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 7 ( 36.842%)
Ignore: 0 ( 0.000%)
I get 7 alerts and logs, and all of them happen to be Blacklist and not
Block, but the alert log shows [Drop].
I guess there is some configuration problem in my snort.conf or rule
which is causing snort not to actually block the traffic.
Any help to get this working is much appreciated.
with regards,
raj
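The post compares seven "[Drop]" alerts against a Verdicts block showing "Blacklist: 7" and "Block: 0". The following is an added example (not code from the post or from the Snort project) that parses both formats and checks whether the alert log and the DAQ verdict counters agree. The sample alert line and counters are copied from the message above and the alert line is repeated seven times as the post describes; the verdict semantics in the comments are those of the Snort 2.9 DAQ (Block drops one packet, Blacklist drops the packet and the rest of its flow), and the function and constant names are my own.

```python
import re

# Constructed sample input. The alert line and the verdict counters are copied
# from the post above; the line is repeated seven times because the post says
# it appeared seven times in the alert file.
FAST_ALERT_LINE = (
    "01/19-23:13:22.087778 [Drop] [**] [1:1:1] Unauthorized Access Prohibited! "
    "[**] [Priority: 0] {TCP} 192.168.3.19:50471 -> xx.135.40.xxx:80"
)
SAMPLE_ALERT_FILE = "\n".join([FAST_ALERT_LINE] * 7) + "\n"

SAMPLE_ACTION_STATS = """\
Verdicts:
Allow: 12 ( 63.158%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 7 ( 36.842%)
Ignore: 0 ( 0.000%)
"""

# Snort 2.9 "-A fast" line. The leading "[Drop]" tag (or "[WDrop]" for a
# would-drop in non-inline test mode) is optional; plain alerts carry none.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?:\[(?P<action>\w+)\] )?\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# One counter line from the "Verdicts:" block of the shutdown statistics.
VERDICT_RE = re.compile(
    r"^\s*(?P<name>Allow|Block|Replace|Whitelist|Blacklist|Ignore):\s+(?P<n>\d+)"
)

# DAQ verdicts that actually stop traffic: Block drops the single packet,
# Blacklist drops it and every later packet of the same flow (what a
# stream5-tracked "reject" produces). Allow/Whitelist/Ignore let it through.
BLOCKING_VERDICTS = ("Block", "Blacklist")


def parse_fast_alerts(text):
    """Return one dict per parsable fast-format alert line."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["action"] = a["action"] or "Alert"
            alerts.append(a)
    return alerts


def parse_verdicts(text):
    """Return {verdict name: count} from the Verdicts block."""
    return {m["name"]: int(m["n"])
            for m in map(VERDICT_RE.match, text.splitlines()) if m}


def check_drops(alerts, verdicts):
    """Compare what the alert log claims with what snort asked the DAQ to do."""
    drop_alerts = sum(1 for a in alerts if a["action"] == "Drop")
    blocking = sum(verdicts.get(v, 0) for v in BLOCKING_VERDICTS)
    return {
        "drop_alerts": drop_alerts,
        "blocking_verdicts": blocking,
        "flow_blacklisted": verdicts.get("Blacklist", 0) > 0,
        # A [Drop] alert without a matching Block/Blacklist verdict would
        # mean snort logged a drop it never requested from the DAQ.
        "consistent": blocking >= drop_alerts,
    }


if __name__ == "__main__":
    result = check_drops(parse_fast_alerts(SAMPLE_ALERT_FILE),
                         parse_verdicts(SAMPLE_ACTION_STATS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the numbers in the post the check comes out consistent: seven Drop alerts and seven blocking verdicts, all of them Blacklist, which is the expected verdict for a reject rule on a tracked TCP session, so the zero Block count is not by itself a sign of misconfiguration. When the counters agree like this and traffic still gets through, the rule and the verdict path inside snort have done their part, and the next place to look is whether the DAQ actually withheld the packet from the divert socket and whether the RSTs left the box, which a tcpdump on the outside interface will show.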
Current thread:
- snort does not sent reset in freebsd/ipfw inline mode Rajkumar S (Jan 19)
- Re: snort does not sent reset in freebsd/ipfw inline mode Rajkumar S (Jan 20)
- Re: snort does not sent reset in freebsd/ipfw inline mode Russ Combs (Jan 28)
- Re: snort does not sent reset in freebsd/ipfw inline mode Rajkumar S (Feb 03)
- Re: snort does not sent reset in freebsd/ipfw inline mode Russ Combs (Jan 28)
- Re: snort does not sent reset in freebsd/ipfw inline mode Michael Scheidell (Feb 04)
- Re: snort does not sent reset in freebsd/ipfw inline mode Russ Combs (Feb 07)
- Re: snort does not sent reset in freebsd/ipfw inline mode Rajkumar S (Jan 20)
